The first step is to list all of the necessities I typically use in a week, and to figure out how to obtain each of these without plastic wrappers, bags or bottles. Here’s a first stab at the list:

Off to a good start! Unfortunately, the next item, “Yogurt,” looks a lot more daunting…

Last weekend I watched a terrific documentary about the bottled water industry called “Tapped.” The second half of the movie is an intensive look at the plastic bottle manufacturing industry, and the enormous damage that these petroleum-based products cause to our environment (ie. the Great Pacific Garbage Patch). Many plastic bottles and containers also leech hazardous chemicals, such as bisphenol A, into food.

With this in mind, I’ve decided to try a little experiment: To go one week without purchasing, or throwing away, anything made of plastic. Since plastic is a centerpoint of conflict, it seems fair to ask the question, “Can we live without it?” After all, if everyone on the planet stopped buying plastic, big companies would stop producing it, and a lot of environmental damage and conflict over access to natural resources would be avoided.

Normally on Philosecurity we focus on information security threats, but information security is of course just a part of the larger problem of global security. You can’t separate information security from social, economic or environmental factors. For example, one reason so many companies are suffering from intellectual property theft due to the “insider threat” is because employees are underpaid, mistreated and have no economic or social incentive to act in their employers’ best interest.

As our world’s environment degrades, the fights over clean water and life-sustaining resources will become increasingly violent and brutal. Over the next decades, as the global population becomes desperate for access to essential resources, corporations will have to work harder to defend their physical and network infrastructures from attack. On the flip side, social network data mining and surveillance efforts will heat up, as companies work to identify and splinter resistance groups (see, for example, Monsanto’s “army of private investigators” who intimidate and conduct surveillance operations against small farmers throughout the Midwest. (Vanity Fair, 2008)

The goal is simple, but executing it is very hard. Today I started planning and preparing for one week without consuming plastic. Stay tuned for more details!

To Rolling Stone,

Several months ago you began stamping my name and address on piles of dead trees and convincing the United States postal service to drop these unrequested items on my doorstep.

I like reading your magazine. It’s fun getting it delivered, and I enjoy learning about music and politics over breakfast. However, my respect for your business practices has been damaged by the action these deliveries represent: misuse of my personal information. I have never subscribed to your magazine. Rather, you purchased my name and address and hope to profit from it. You’re using me to beef up your “subscribers” list, lower the average age of your “readers,” and appease your shareholders.

Is this practice really in keeping with the concept of freedom that America, and your magazine, theoretically represent? I believe that a free country is one in which I can correspond with my friends, ride the subway, buy a book or rent a movie without having my actions tracked, my behavior analyzed and automated systems send me glossy packages afterwards in a manipulative attempt to milk me for my time and money.

As demonstrated by the growing amount of resources dedicated to the anti-spam industry, receipt of information is not free. Every time you or one of your business contemporaries sells my information, you contribute to the growing stack of mail which drowns my legitimate correspondence and sucks away my time and attention.

I understand that the magazine industry is rapidly changing, and in order to stay competitive, you must evolve your business strategies. Current fashion in the business world is to harvest information from individuals through enticement, theft and legitimate service, and then to sell or trade that information for profit behind the scenes. It is no wonder that you’ve chosen this technique. However, at one time, it was fashionable to buy and sell people in this country in order to stay competitive in the business world. Buying and selling people’s personal information without their knowledge and permission is just another, more subtle evolution of this exploitation.

Over the years, Rolling Stone’s authors and editors have often expressed strong support of social justice and individual freedom. This is what drew me to purchase your magazine at newsstands in the past, and the reason that I am taking the time to write to you today. I’d like to purchase your magazine in the future, but I can’t in good conscience support the unsolicited harvest and trade of personal information. I hope that you will publicly practice the values that your staff have so eloquently supported over the years by showing more respect for people’s time, attention and privacy.

To provide financial incentive, I’d like you to know that I will not purchase or read your magazine again until you:

1) Remove my personal information from your systems;

2) Assure me that in the future, you will never buy or sell my personal information without my explicit permission;

3) Donate $25 to the Electronic Frontier Foundation for the time I have spent responding to your repeated unsolicited mail.

I am not for sale, and neither is my personal information.

Thank you,

Sherri Davidoff

Hawken points out that “when a forest products company buys logging rights from the Forest Service at pennies to the dollar and then clear-cuts the area, leaving it degraded for the next hundred years, the “profit” from the sale of the wood goes to the corporation, but the loss of habitat and biodiversity is borne by society… The companies who practice driftnetting, sweeping monofilament nets thirty miles long through the oceans, will never be presented a bill for the decimation of Pacific fisheries.”

Similarly, organizations today are externalizing costs with respect to information collection and mismanagement. Companies collect enormous amounts of sensitive information about their customers– financial information such as credit card numbers, personal information such as social security numbers, shopping records, health records, communication records. This information is often very poorly managed and stored in many places on their network. Often, companies will claim to auditors that sensitive data is stored in a specific database, and completely ignore the fact that it is also cached in spreadsheets on employee desktops, on laptops, on the email server, and in backup tapes.

When a company sells personal data to another company, it profits from the sale but experiences no further liability, even though its customers are now at a higher risk of data theft and are never even informed of this fact. Data is often stored indefinitely, even after policy dictates that it should be deleted. If losses occur, they are often not detected; if they are detected, they are often not reported. This is because there is little incentive for companies to detect incidences of customer data loss, and even less incentive to report them. Even when regulation dictates that a loss must be reported, companies work to find loopholes and sometimes decide that risk incurred by deliberately hiding an incident is less than the definite cost of public disclosure.

If a company loses millions of credit card numbers, who bears the cost? As long as no one finds out that the company is to blame, then the customer and society bear the cost of dealing with credit card fraud. In today’s environment, companies benefit from harvesting, storing and processing consumer information, but are often able to pass costs of mismanagement, which include credit card theft and identity theft, back to the consumer. Companies are routinely able to cover up incidents and pass off risk, and therefore they achieve maximum profit when they store and sell customers’ data and do not bother investing in proper management.

Perhaps the most serious cost of information mismanagement is also the most dispersed, and the hardest to quantify. Across America, government, small businesses and corporations are dependent on IT, and store tremendous quantities of sensitive data on networks which are poorly secured. As a security consultant that has worked in many different industries over the past seven years, including finance, transportation, health, government and academia, I have seen this first hand. Nationally, we are at great risk of accident (such as the 2003 northeast blackout which was linked to a virus) and also vulnerable to deliberate large-scale attacks.

Hawken writes that “where harm and suffering exist because of market dealings– when the real costs of that market are not factored into the price of goods and services–we require the government as representatives of citizenry to step in and prevent those abuses, one way or the other.”

Bruce Schneier has called for a comprehensive data privacy regulation. While I agree that this is a step in the right direction, I have to wonder if economic solutions might be more efficient and effective than regulation. Hawken cites Pigovian taxes – the origin of “green taxes” as one economic solution to environmental problems. “Pigou argued that competitive marketplaces would not work if producers did not bear the full costs of production, including whatever pollution, sickness or environmental damage they caused. Pigou’s solution was to impose a ‘tax to correct maladjustments’ on producers, a tax that would be comparable to the avoidable cost or unborne expense. Pigou cited prematurely peeling paint on a house near a coal-fired mill as an example of an external cost that should be paid by the producer. He theorized that when the producer was forced to bear full costs, it would have incentives to reduce its negative impact, thus lowering those costs.”

Perhaps Pigovian taxes can be applied to information management in order to provide real incentives for companies to appropriately manage their data. For example, the government could tax corporations based on the amount and type of personal data stored, internal information management policies and the results of yearly information security audits.

Right now, personal information is cheap to harvest and profits are high. Companies clear-cut forests because they are able to absorb the short-term gains and pass off the long-term costs. Similarly, companies harvest information from consumers, store it carelessly and resell it, reaping short-term financial gains and passing off the costs. Using Pigovian taxes or a similar strategy, we could perhaps give companies quantifiable, assured financial incentives to reduce the amount of personal data stored, develop appropriate information management policies, and meet security standards.